I have a pretty good new firewall and new web filter. I am looking into doing SSL decryption and am wondering what people suggest. Should I do SSL decryption for web traffic on the web filter or should I do it on the firewall or should I do it on both?

I'm running a Palo Alto sized for my school district and an iBoss NBC chassis with 6 blades. I don't think I am going to get a performance hit either way. Probably wrong, but I scaled them pretty well.

It pretty much depends, what kind of security services (scanning options) you have purchased with your boxes.

So when you decrypt the ssl connection, there should be a purpose for it. Just to find out the SNI (web domain) of https traffic for web filtering, you should not need to decrypt the traffic.

Also application recognition usually works without decryption (but should be better with decryption - in theory). I can't say how much effect that has on a PAN box, as I don't own one. But since they are basically grown from an application filter, I'd expect, they are pretty good at this, even without decryption.

Decryption is REALLY useful, when you do AV scanning and/or sandbox analytics of files. Si if you licensed these services on PAN, than you need to enable the decryption to be able to use these services for all the traffic - or only 1/3 of the traffic will be scanned with these services.

Do you have the web content filter on your Palo Alto? We have a PA 5220 and we do SSL decryption (in testing on IT sessions only ATM), but our device does content filtering inline as well. Our Network Admin is the one that set it up so I'd have to dig in to the config myself to be of any help and I'm not sure all the pieces he had to configure to get it working. We did have to setup a few exclusions for things not to decrypt as it broke their functionality (certain sites and applications).

I'd defer to kevinmhsieh​; his suggestion sounds most likely to be the correct path forward.

It looks like the Palo can decrypt traffic, send it along to the iBoss, and then re-encrypt the traffic after the iBoss is done with it. This is called security chaining.

If you let the Palo Alto decrypt, then you can better inspect for threats if you have any of the security subscriptions. I see no point in having each device do decryption of the same traffic.

I'm not a PAN expert, so I could be wrong.

Still it sounds pretty strange for me, that one security solution would decrypt SSL/TLS traffic and allow it to pass to the network in an unencrypted form, so another security product could inspect it in addition - in unencrypted form..

Even stranger is the idea, that a 3rd party product would re-encrypt the traffic. First it would not know if the traffic inspected was initially encrypted or not and what makes it even worse - the second box has no chance to know anything about the initial SSL/TLS security options and would break the security as designed by the creator of the web service.

Bojan, the boxes from A10 Networks decrypt traffic so that other devices can see inside, and after all the other devices have seen the unencrypted traffic then the A10 reencrypts the traffic. That's basically all the company does.

There are reference designs to use A10 for SSL decrypt and then Cisco ASA with FirePOWER for security enforcement and logging. Many IPS products and analytics products will take a decrypted traffic feed, but not do decryption themselves.

I think decryption has two main use-cases, and they're 1) Visibility. If you need to see what students are Googling, for example, you have to decrypt that traffic. Or, 2) A/V - like Bojan mentioned, if you want to scan & sandbox their traffic and/or downloads for malware/etc, you should really, really decrypt it.

I mean, you can still block PornHub without decrypting it (SNI, mentioned previously). But something like 90% of the traffic here in the States is HTTPS now, so regardless of the use-case this week, just be prepared for it. It sounds like your school district hasn't been seeing or reporting on search queries/keywords/etc. this entire time, either. That's scary as hell in 2019.